Pulpbackup and restricted-v2 SCC

Problem: the pulp controller can’t create the backup-manager pod after the pulpbackup CR is created. As a result the backup itself is not created.

Expected outcome: backup is created

Pulpcore version: 3.110.0

Operating system - distribution and version: helm chart 0.7.0, Openshift 4.16
Details: I’ve installed pulp operator via helm, and want to configure backups. When pulpbackup CR is created, I see in the pulp controller pod errors
pulp-operator-controller-manager-bfc9c5699-69hzw 2026-06-02T07:05:59Z ERROR backup/controller.go:295 Failed to create new backup manager Pod {"Pod.Namespace": "pulp-ocp-2vlx-syst", "Pod.Name": "pulpbackup-backup-manager", "error": "pods \"pulpbackup-backup-manager\" is forbidden: unable to validate against any security context constraint: [pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/pulpbackup-backup-manager]: Forbidden: seccomp may not be set, provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{700}: 700 is not an allowed group, provider restricted-v2: .containers[0].runAsUser: Invalid value: 700: must be in the ranges: [1001300000, 1001309999], provider restricted: .spec.securityContext.fsGroup: Invalid value: []int64{700}: 700 is not an allowed group, provider restricted: .containers[0].runAsUser: Invalid value: 700: must be in the ranges: [1001300000, 1001309999], provider \"nonroot-v2\": Forbidden: not usable by user or serviceaccount, provider \"nonroot\": Forbidden: not usable by user or serviceaccount, provider \"noobaa-core\": Forbidden: not usable by user or serviceaccount, provider \"noobaa-db\": Forbidden: not usable by user or serviceaccount, provider \"noobaa-endpoint\": Forbidden: not usable by user or serviceaccount, provider \"noobaa\": Forbidden: not usable by user or serviceaccount, provider \"hostmount-anyuid\": Forbidden: not usable by user or serviceaccount, provider \"elasticsearch-scc\": Forbidden: not usable by user or serviceaccount, provider \"logging-scc\": Forbidden: not usable by user or serviceaccount, provider \"twistlock-console\": Forbidden: not usable by user or serviceaccount, provider \"machine-api-termination-handler\": Forbidden: not usable by user or serviceaccount, provider \"hostnetwork-v2\": Forbidden: not usable by user or serviceaccount, provider \"hostnetwork\": Forbidden: not usable by user or serviceaccount, provider \"hostaccess\": Forbidden: not usable by user or serviceaccount, provider \"twistlock-scc\": Forbidden: not usable by user or serviceaccount, provider \"ocs-metrics-exporter\": Forbidden: not usable by user or serviceaccount, provider \"rook-ceph\": Forbidden: not usable by user or serviceaccount, provider \"node-exporter\": Forbidden: not usable by user or serviceaccount, provider \"rook-ceph-csi\": Forbidden: not usable by user or serviceaccount, provider \"privileged\": Forbidden: not usable by user or serviceaccount]"}

pulp-operator-controller-manager-bfc9c5699-69hzw 2026-06-02T07:05:59Z ERROR controller/controller.go:474 Reconciler error {"controller": "pulpbackup", "controllerGroup": "repo-manager.pulpproject.org", "controllerKind": "PulpBackup", "PulpBackup": {"name":"pulpbackup","namespace":"pulp-ocp-2vlx-syst"}, "namespace": "pulp-ocp-2vlx-syst", "name": "pulpbackup", "reconcileID": "72360aa9-5737-46ed-862e-d21ee43a9302", "error": "pods \"pulpbackup-backup-manager\" is forbidden: unable to validate against any security context constraint: [pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/pulpbackup-backup-manager]: Forbidden: seccomp may not be set, provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{700}: 700 is not an allowed group, provider restricted-v2: .containers[0].runAsUser: Invalid value: 700: must be in the ranges: [1001300000, 1001309999], provider restricted: .spec.securityContext.fsGroup: Invalid value: []int64{700}: 700 is not an allowed group, provider restricted: .containers[0].runAsUser: Invalid value: 700: must be in the ranges: [1001300000, 1001309999], provider \"nonroot-v2\": Forbidden: not usable by user or serviceaccount, provider \"nonroot\": Forbidden: not usable by user or serviceaccount, provider \"noobaa-core\": Forbidden: not usable by user or serviceaccount, provider \"noobaa-db\": Forbidden: not usable by user or serviceaccount, provider \"noobaa-endpoint\": Forbidden: not usable by user or serviceaccount, provider \"noobaa\": Forbidden: not usable by user or serviceaccount, provider \"hostmount-anyuid\": Forbidden: not usable by user or serviceaccount, provider \"elasticsearch-scc\": Forbidden: not usable by user or serviceaccount, provider \"logging-scc\": Forbidden: not usable by user or serviceaccount, provider \"twistlock-console\": Forbidden: not usable by user or serviceaccount, provider \"machine-api-termination-handler\": Forbidden: not usable by user or serviceaccount, provider \"hostnetwork-v2\": Forbidden: not usable by user or serviceaccount, provider \"hostnetwork\": Forbidden: not usable by user or serviceaccount, provider \"hostaccess\": Forbidden: not usable by user or serviceaccount, provider \"twistlock-scc\": Forbidden: not usable by user or serviceaccount, provider \"ocs-metrics-exporter\": Forbidden: not usable by user or serviceaccount, provider \"rook-ceph\": Forbidden: not usable by user or serviceaccount, provider \"node-exporter\": Forbidden: not usable by user or serviceaccount, provider \"rook-ceph-csi\": Forbidden: not usable by user or serviceaccount, provider \"privileged\": Forbidden: not usable by user or serviceaccount]"}

Can it be worked around or fixed somehow?
Thanks in advance

Hi @aisachenka,

It seems like this is a bug in OCP cluster deployments where we are hardcoding the user/fsGroup https://github.com/pulp/pulp-operator/blob/0c3f4c6c61a1452ca54d4ff998b353931e8532d8/controllers/backup/controller.go#L260-L261 and then setting the PodSecurityContext with these values https://github.com/pulp/pulp-operator/blob/0c3f4c6c61a1452ca54d4ff998b353931e8532d8/controllers/backup/controller.go#L287, but the ocp restricted-v2 SCC rejects them (they are not within the namespace’s allocated range).

As a workaround, if you have admin privileges in your ocp cluster, you could create a custom scc to allow the pod to run with the user 700 (https://docs.redhat.com/en/documentation/openshift_container_platform/4.21/html/authentication_and_authorization/managing-pod-security-policies#security-context-constraints-creating_configuring-internal-oauth). Something like:
THIS IS JUST AN EXAMPLE! I COULD NOT TEST IT!

  • create the custom scc
oc apply -f - <<EOF
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: pulp-backup-scc
# SecurityContextConstraints are cluster-scoped, so there is no metadata.namespace
allowPrivilegeEscalation: false
runAsUser:
  type: MustRunAs
  uid: 700
fsGroup:
  type: MustRunAs
  ranges:
    - min: 700
      max: 700
seLinuxContext:
  type: MustRunAs
# Not covered here: an SCC admits only the volume plugins listed in 'volumes'
# and only the seccomp profiles listed in 'seccompProfiles', and the log above
# also rejects the pod's seccomp annotation, so both fields would still need
# to be filled in for the backup pod's volumes and seccomp profile.
EOF
  • bind it to the operator’s service account:
oc adm policy add-scc-to-user pulp-backup-scc -z pulp-operator-controller-manager -n pulp-ocp-2vlx-syst

Even though the fix would not be difficult to implement, I don’t know if we will be able to work on it in the next few days.

1 Like
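As an added example (not pulp-operator code and not part of the thread), the script below reproduces the two restricted-v2 range checks that rejected pulpbackup-backup-manager in the log above, so an admin can predict the rejection, or confirm that a custom SCC such as pulp-backup-scc would admit the pod, before creating the CR. The pod spec and the namespace annotations are constructed; the annotation values were chosen so the UID range matches the [1001300000, 1001309999] reported by admission. It ignores the other SCC fields (seccomp, SELinux, volumes, capabilities).

```python
"""Pre-flight check of a pod's runAsUser / fsGroup against OpenShift SCC ranges.

Added example, not pulp-operator code.  It mirrors the restricted-v2 checks
from the log: runAsUser must fall in the namespace's uid-range annotation and
fsGroup in its supplemental-groups annotation, unless the SCC pins its own
ranges (as the custom pulp-backup-scc does).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Range = Tuple[int, int]  # inclusive bounds

# Constructed sample: the annotations OpenShift writes on every project,
# chosen so the UID range equals [1001300000, 1001309999] from the log.
SAMPLE_NAMESPACE_ANNOTATIONS: Dict[str, str] = {
    "openshift.io/sa.scc.uid-range": "1001300000/10000",
    "openshift.io/sa.scc.supplemental-groups": "1001300000/10000",
}

# Constructed sample mirroring what the operator builds: UID and fsGroup 700.
SAMPLE_POD = {
    "metadata": {"name": "pulpbackup-backup-manager"},
    "spec": {
        "securityContext": {"fsGroup": 700},
        "containers": [
            {"name": "pulpbackup-backup-manager",
             "securityContext": {"runAsUser": 700}},
        ],
    },
}


def parse_block(value: str) -> Range:
    """Parse one annotation block: 'start/size' (size entries) or 'min-max'."""
    if "/" in value:
        start, size = value.split("/", 1)
        return int(start), int(start) + int(size) - 1
    lo, hi = value.split("-", 1)
    return int(lo), int(hi)


def parse_blocks(value: str) -> List[Range]:
    """supplemental-groups may carry several comma-separated blocks."""
    return [parse_block(b.strip()) for b in value.split(",") if b.strip()]


@dataclass
class SCCRanges:
    """The subset of an SCC this check needs.  None means 'use the namespace
    annotation', which is what restricted-v2 does (MustRunAsRange for the
    user, MustRunAs without explicit ranges for fsGroup)."""
    name: str
    uid: Optional[Range] = None
    fs_groups: Optional[List[Range]] = None


RESTRICTED_V2 = SCCRanges("restricted-v2")
# The custom SCC from the reply above, pinned to UID/GID 700.
PULP_BACKUP_SCC = SCCRanges("pulp-backup-scc", uid=(700, 700), fs_groups=[(700, 700)])


def in_ranges(value: int, ranges: List[Range]) -> bool:
    return any(lo <= value <= hi for lo, hi in ranges)


def scc_violations(pod: dict, scc: SCCRanges, ns_annotations: Dict[str, str]) -> List[str]:
    """Return the runAsUser/fsGroup errors admission would raise for this SCC."""
    uid_range = scc.uid or parse_block(ns_annotations["openshift.io/sa.scc.uid-range"])
    fs_ranges = scc.fs_groups or parse_blocks(
        ns_annotations["openshift.io/sa.scc.supplemental-groups"])
    errs: List[str] = []

    fs_group = (pod["spec"].get("securityContext") or {}).get("fsGroup")
    if fs_group is not None and not in_ranges(fs_group, fs_ranges):
        errs.append(f"provider {scc.name}: .spec.securityContext.fsGroup: "
                    f"Invalid value: {fs_group}: not an allowed group")

    for i, container in enumerate(pod["spec"]["containers"]):
        uid = (container.get("securityContext") or {}).get("runAsUser")
        if uid is not None and not in_ranges(uid, [uid_range]):
            errs.append(f"provider {scc.name}: .containers[{i}].runAsUser: "
                        f"Invalid value: {uid}: must be in the ranges: "
                        f"[{uid_range[0]}, {uid_range[1]}]")
    return errs


if __name__ == "__main__":
    for scc in (RESTRICTED_V2, PULP_BACKUP_SCC):
        problems = scc_violations(SAMPLE_POD, scc, SAMPLE_NAMESPACE_ANNOTATIONS)
        print(f"{scc.name}: {'rejected' if problems else 'admitted'}")
        for p in problems:
            print("  ", p)
```

To run it against a real project, replace the constructed annotation values with the ones on the namespace, e.g. `oc get ns pulp-ocp-2vlx-syst -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.uid-range}'` (and the same for `sa.scc.supplemental-groups`); a pod whose UID or fsGroup lies outside those blocks can only be admitted by an SCC that pins its own ranges and is bound to the pod's service account.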